Node.js
This hub aggregates every CVE we track for Node.js, the server-side JavaScript runtime built on V8. Use it to gauge the current risk picture and drill into individual advisories.
CVEs tracked: 242 (22 critical, 126 high, 1 in CISA KEV)
Severity distribution: Critical 22, High 126, Medium 81, Low 13
Monthly trend (CVEs published per month, 2024-07 through 2026-06, oldest first): 2, 0, 8, 0, 1, 0, 4, 1, 0, 0, 5, 2, 2, 1, 1, 1, 1, 0, 16, 1, 7, 0, 0, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Node.js.
- CVE-2026-21717 (score 5.9): A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such co...
- CVE-2026-21714 (score 5.3): A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The...
- CVE-2026-21713 (score 5.9): A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes...
- CVE-2026-21710 (score 7.5): A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this oc...
- CVE-2026-21716 (score 3.3): An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fch...
- CVE-2026-21715 (score 3.3): A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce ...
- CVE-2026-21712 (score 5.7): A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashin...
- CVE-2026-25547 (score 8.6): Uncontrolled Resource Consumption in @isaacs/brace-expansion
- CVE-2026-24842 (score 8.2): node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
- CVE-2026-22795 (score 5.5): Missing ASN1_TYPE validation in PKCS#12 parsing
- CVE-2025-69421 (score 7.5): NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
- CVE-2025-11187 (score 6.1): Improper validation of PBMAC1 parameters in PKCS#12 MAC verification
- CVE-2026-0775 (score 7.0): npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability
- CVE-2026-24001 (score 7.5): jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
- CVE-2026-21636 (score 10.0): A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled input...
Product normalization is registry-driven with AI assist and human review.